News & Insights

Home » News & Insights » Should Public Companies Disclose Cybersecurity Risks?

Should Public Companies Disclose Cybersecurity Risks?

Finance and Securities

The Securities and Exchange Commission (SEC) was faced with the issue of how public companies should disclose their cybersecurity risks and incidents to investors, particularly in light of the recent cybersecurity breaches over the past few years. Just last year, the Equifax cybersecurity breach impacted 143 million Americans, causing the company’s stock to dive, losing up to $5.3 million. The SEC sets out maintain a fair and efficient market; so what is the threshold of disclosure which public companies must make to protect the interests of investors?

Public companies, in fear of a cybersecurity threat, have protected private and consumer information by investing in new technology and services to help detect cyberattacks early on. The industry of cybersecurity is rapidly booming and collectively on average will cost domestic U.S. businesses about $6 trillion per year.[1] As the financial industry and business continue to integrate greater use of technology, companies have made it their priority to prevent cyberattacks in order to preserve company and consumer information as well as their reputation and stock price. As more public companies take steps to protect themselves from cybercrime, what information, if any, must they disclose to investors and other market participants?

In 2011, the SEC Division of Corporation Finance issued a guidance report regarding the methods public companies should take to disclose any associated cyber risks and their impact. The report stated that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures”.[2] The report explains that the information required for disclosure is based on different factors, most notably, “prior cyber incidents and the severity and frequency of those incidents.”[3] However, the 2011 disclosure guidance failed to be effective in practice. Despite the significant increase in cyber threats and recent breaches impacting large U.S. companies, public companies’ practices in disclosing these threats to investors has not improved. The issue is that the guidances are mere suggestions for public companies . Although certain disclosures may be required in conjunction with other reporting obligations, companies are not obliged to report cybersecurity risks alone.

In late February 2018, the SEC issued another guidance report regarding cybersecurity disclosures. “The guidance reminds companies that they should consider cybersecurity risks and incidents … [and] the importance of maintaining comprehensive policies and procedures.”[4] However, the problem is that the Commission’s power “is confined in what it can do in the context of guidance, without engaging in a formal rulemaking.”[5] This has led to insignificant changes from the 2011 to 2018 guidance. Commissioner Kara M. Stein notes that the new 2018 guidance on disclosures does not effectively address the significant impact cybersecurity has had on companies since 2011 – the reason being the SEC’s limitations on regulating the area. Acknowledging the importance of disclosure to protect the integrity of the market is a vital step. Public companies should take into consideration the SEC’s guidance in order to proactively prevent incidents such as the Equifax breach. The SEC acts to maintain a fair and efficient market, but the market players need to ensure they abide by and implement even informal policies in order to get ahead.

[1] SEC. (Feb. 21, 2018) “Statement on Commission Statement and Guidance on Pubic Company Cybersecurity Disclosures.” Available at: https://www.sec.gov/news/public-statement/statement-stein-2018-02-21. Accessed on March 2, 2018.

[2] SEC Division of Corporation Finance. (Oct. 13, 2011) “CF Disclosure Guidance: Topic No. 2.” SEC. Available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. Accessed on March 2, 2018.

[3] Ib.

[4] Op. Cit. n1.

[5] Ib.

Recent Posts

Is Your Co-Op or Condo ADA Compliant?

A shareholder in your co-op has recently become disabled and your building’s entrance is not fully accessible. Is the co-op responsible for modifying the entrance so it accommodates the disabled resident? Accommodations required by Title III of the American...

Check Your Condominium Purchase Agreement: a License for Use May be Taxed as Real Estate

The New York State Department of Taxation recently issued a Letter Ruling--an official document that provides guidance on how certain tax laws are to be interpreted and applied-- stating that licenses for parking and storage spaces are now classified as interests in...

Should You Buy a Condo or Co-op Through an LLC?

Buying an apartment through a Limited Liability Company or LLC may be a way to limit personal liability or protect assets, but it may not be a viable option. Even if it is, it might not be worth the trouble. In the first instance, the purchase of a cooperative...

Can Adult Children of Co-Op Shareholders Live in the Unit?

When it comes to allowing adult children to live in a co-op without the shareholder, a host of questions come into play, including the co-op’s rules about subletting and the terms of the proprietary lease. In a prior post about subletting a co-op, we explained that...

Co-Op Estate Planning in New York City: Two Options and Anticipated Concerns

New York City residents know that there are pros and cons to living in a co-op versus a condominium. One area of contrast is in estate planning, or the transfer of property to a beneficiary upon the resident’s death. Condo owners obtain the rights to the real property...